It’s December and the 2013 cyber security news cycle has just about run its course. We’ve seen more and increasingly virulent attacks, continued “innovation” by adversaries, and a minor revival of distributed denial of services (DDOS) actions perpetrated by hacktivists and other socio-politically motived actors.

Against this, Cisco stood up tall in recognizing the importance of strong security as both an ingredient baked into all Cisco products, services, and solutions, and a growing understanding of how to use the network to identify, share information about, and defeat threats to IT assets and value generation processes. I can also look back at 2013 as the year that we made internal compliance with the Cisco Secure Development Lifecycle (CSDL) process a stop-ship-grade requirement for all new Cisco products and development projects. Read More »

SecCon is our internal security conference, which for the past five years has taken place live in San Jose. Many industry recognized experts over the years have graced the stage, and the security community at Cisco looks forward to each December where we gather together to network and learn about the new threats that face our products. In past years, remote sites around the globe were linked into San Jose, sharing part of the speaker line-up and also giving local security people at remote sites the ability to speak to a local audience. In 2013, for the first time ever, SecCon events were hosted in remote locations.

The goal of these events is twofold: first, to provide high-quality, topical security education to those people responsible for building our products, and second, to growthe security community amongst our engineering population. We believe that security must be part of everyone’s job description at Cisco. We are all part of the security solution, and we use these SecCon events to band together. Read More »

The theme for this year’s SecCon was “Building on a Foundation of Security.” The breadth of topics discussed that are relevant to being a trusted vendor and producing trustworthy products is quite significant. Naturally many of the discussions revolved around the Cisco Secure Development Lifecycle (CSDL), Cisco’s approach to building secure products and solutions. As Graham Holmes mentioned in a recent blog post, CSDL takes a layered approach, with one of the key components being the security of the underlying operating system. As a standard part of the development process, Cisco’s product teams implement a comprehensive set of CSDL requirements to harden the base OS. These requirements were created not only by leveraging Cisco’s significant in-house security expertise, but also drawing from best practices available in the industry.

Cisco SecCon 2012 brought together hundreds of engineers, live and virtually, from Cisco offices around the globe with one common goal: to share their knowledge and learn best practices about how to increase the overall security posture of Cisco products.

It is amazing to see how many definitions the word “hack” has out on the Internet. Just look at Wikipedia: http://en.wikipedia.org/wiki/Hack. In short, the word “hack” does not always mean a “bad” or “malicious” action.

I’ve had the opportunity and honor to present at SecCon several times, 2012 being my fourth year. My session this year was titled “Cisco PSIRT Vulnerability Analysis: What Has Changed Since Last SecCon”. As you probably already know (or might have guessed), I’m part of Cisco’s Product Security Incident Response Team (PSIRT). During my talk I went over an analysis of the vulnerabilities that were discovered, driven to resolution, and disclosed during this past year, as well as lessons learned from them. I also highlighted several key accomplishments Cisco has achieved during the last few years. For example, Cisco now has the ability to correlate and patch third-party software vulnerabilities. Additionally, we have grown Cisco’s Secure Development Lifecycle (CSDL) into a robust, repeatable and measurable process. As Graham Holmes mentioned in a recent blog post:

Our development processes leverage product security baseline requirements, threat modeling in design or static analysis and fuzzing in validation, and registration of third-party software to better address vulnerabilities when they are disclosed. In the innermost layer of our products, security is built-in to devices in both silicon and software. The use of runtime assurance and protection capabilities such as Address Space Layout Randomization (ASLR), Object Size Checking, and execution space protections coupled with secure boot, image signing, and common crypto modules are leading to even more resilient products in an increasingly threatening environment. Read More »

Having recently wrapped up the 5th Annual Cisco SecCon Conference, I’d like to take this opportunity to share with you what Cisco SecCon is and the benefits to our products and you, our customers. With that, let’s start with a brief overview!

What is Cisco SecCon?

SecCon is a security conference for Cisco engineers that focuses on two critical elements for a healthy corporate Security intelligence: 1) expansion of knowledge for all and 2) building a sense of community. We allocate two days for intensive hands-on security training, and then we provide two general session days to discuss a variety of security topics including:

Some of the individuals posting to this site, including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.